Skip to content
Permalink
Browse files
Regression(r223431): Crash under didReceiveChallenge in NetworkSessio…
…nCocoa

https://bugs.webkit.org/show_bug.cgi?id=183134
<rdar://problem/36339049>

Reviewed by Alex Christensen.

Like other delegates functions in this file, it is possible for didReceiveChallenge to get called
after _session has been nulled out. Other delegate functions already had early returns when
_session is null. However, such early return was missing in didReceiveChallenge.

This patch ends the early return to didReceiveChallenge so that we do not end up calling
_session->downloadID(taskIdentifier) on a null _session.

* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):

Canonical link: https://commits.webkit.org/198851@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229031 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • Loading branch information
cdumez committed Feb 26, 2018
1 parent aee0343 commit de3300981308cdafbc36bd0480c3635166bf1334
Showing with 24 additions and 1 deletion.
  1. +18 −0 Source/WebKit/ChangeLog
  2. +6 −1 Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
@@ -1,3 +1,21 @@
2018-02-26 Chris Dumez <cdumez@apple.com>

Regression(r223431): Crash under didReceiveChallenge in NetworkSessionCocoa
https://bugs.webkit.org/show_bug.cgi?id=183134
<rdar://problem/36339049>

Reviewed by Alex Christensen.

Like other delegates functions in this file, it is possible for didReceiveChallenge to get called
after _session has been nulled out. Other delegate functions already had early returns when
_session is null. However, such early return was missing in didReceiveChallenge.

This patch ends the early return to didReceiveChallenge so that we do not end up calling
_session->downloadID(taskIdentifier) on a null _session.

* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):

2018-02-26 Youenn Fablet <youenn@apple.com>

MessagePort is not always destroyed in the right thread
@@ -289,6 +289,11 @@ - (void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)data

- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
{
if (!_session) {
completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
return;
}

auto taskIdentifier = task.taskIdentifier;
LOG(NetworkSession, "%llu didReceiveChallenge", taskIdentifier);

@@ -342,7 +347,7 @@ - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didRece
};
networkDataTask->didReceiveChallenge(challenge, WTFMove(challengeCompletionHandler));
} else {
auto downloadID = _session->downloadID(task.taskIdentifier);
auto downloadID = _session->downloadID(taskIdentifier);
if (downloadID.downloadID()) {
if (auto* download = WebKit::NetworkProcess::singleton().downloadManager().download(downloadID)) {
// Received an authentication challenge for a download being resumed.

0 comments on commit de33009

Please sign in to comment.